Sounds like a vulnerability was found and once in it just replicated itself. Changing the passwords are good, but you're going to want to find the backdoor that is letting theme in to ensure it doesn't happen again.

@joacim are you using any kind of auditing that would allow you to see the activity on your instance? Anything that tracks IPs and or checks for integrity? Also, what have you done to harden your environment?